EAP-TLS Wifi - without AD?

jameson
Contributor II

We are running Jamf with NoMAD, so the Macs are not bound to AD. We managed to get a machine certificate onto the Mac from the Windows CA, as the goal was to get EAP-TLS working.

But we cannot manage to get EAP-TLS working. Every time, when connecting and choosing the machine certificate, it fails.

Can someone confirm that this can also work without the Mac being bound to AD?


mark_mahabir
Valued Contributor

Have a read through this thread.

We plan to make use of the new Jamf AD-CS Connector next year.

KRIECCO
Contributor

We are using ADCS already, but we also have the same issue with this.

mojo21221
Contributor II

What does your cert authenticate against? Ours authenticates against the machine name in AD. Even though the Mac isn't bound to AD, it still needs the "computer name" as a placeholder in the correct OU in AD. We just create a new computer object with the name of the machine and poof, the machine cert works on a non-bound machine.

KRIECCO
Contributor

A workaround, but then we have to manually create new computers in AD all the time when they are enrolled in Jamf. But for testing it could be on.

mojo21221
Contributor II

I was thinking just to test to see if that was why they were failing... Also, if that does get it working, this would only need to be done once per the life of the device. I think it could be somewhat automated via PowerShell. Not sure what your naming scheme is, but it should be doable. We just went through this change, so I feel your pain. It took quite a while and required a member of our networking team who was able to break down what the auth server was looking for on the certificate.

Tigerhaven
Contributor

We use EAP-TLS Wi-Fi using SCEP and the SCEP proxy from Jamf, and we have not seen any issues.

Kunal V

cjatsbm
New Contributor II

Having the same issue with our ADCS Connector... looking for machine-based EAP-TLS Wi-Fi. I can generate an AD certificate and it gets delivered by Jamf Pro to the machine, but then I am forced to choose the certificate to use instead of automatically joining with the machine cert the first time. I get presented with the com.apple.kerberos.kdc and the machine ADCS-generated certificate. If I select the machine certificate it gets on and remembers, but I'm not sure why it is not using the machine cert in the first place.

bwoods
Valued Contributor

@cjatsbm I'm having the same issue. Were you ever able to figure this out?

krojasAdvania
New Contributor II

@cjatsbm @bwoods I'm using ADCS and it's working fine with the machine cert. I had the same issue as you until I noticed that I forgot to add the "certificate common name" under Trust in my Wi-Fi config profile.

nwiseman
Contributor

If you're seeing this on Big Sur, make sure you're adding the entire certificate tree into the configuration profile. I was seeing the same issue, where my once-working profile would no longer authenticate. I spoke to Apple and they suggested adding the entire tree into the profile: Root, 802ca and then the template for the AD cert. As soon as we did this the connection worked as expected.

dlbrabb
New Contributor III

We have this working correctly in our environment. @nwiseman is correct about the entire tree of certificates being needed. Has anybody had problems with the Macs not wanting to reconnect to their company SSID? I would say 90% of the time we have to manually click "Connect" or choose the SSID.

kendalljjohnson
Contributor II

I have been trying and failing with this process for a while now. Would anyone be able to shed some light on the more specific settings that are needed on the Jamf config profile side, and on what specific properties are needed within the computer record and the cert?

We're using Microsoft's NPS RADIUS service on the back end. I've tried various options for the SAN Type/Value within the cert payload and the Username within the Wi-Fi payload with little success, and I just added the full tree with the same result. Any insight or suggestions would be greatly appreciated!
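As an added illustration (not from any poster in this thread, and not Jamf's own output), the Wi-Fi payload below shows where the two fixes mentioned above live in the raw configuration profile: the full CA chain as trust anchors, and the RADIUS server's certificate name under trusted server names. The payload runs in System mode so the machine identity is used before login; all UUIDs, the SSID and the server name are placeholders, and the mapping of Jamf's "Trust" fields to `TLSTrustedServerNames` / `PayloadCertificateAnchorUUID` is assumed from Apple's profile keys rather than stated in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Wi-Fi payload for a machine-authenticated EAP-TLS SSID (placeholders throughout) -->
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.wifi.eaptls.machine</string>
  <key>PayloadUUID</key><string>WIFI-PAYLOAD-UUID-PLACEHOLDER</string>
  <key>SSID_STR</key><string>CORP-SSID-PLACEHOLDER</string>
  <key>AutoJoin</key><true/>
  <key>EncryptionType</key><string>WPA2</string>
  <!-- System mode: authenticate with the machine identity at the login window, not per user -->
  <key>SetupModes</key><array><string>System</string></array>
  <!-- UUID of the certificate payload carrying the machine identity (ADCS/SCEP issued) -->
  <key>PayloadCertificateUUID</key><string>MACHINE-CERT-PAYLOAD-UUID-PLACEHOLDER</string>
  <key>EAPClientConfiguration</key>
  <dict>
    <!-- 13 = EAP-TLS; listing only this type avoids prompting for other methods -->
    <key>AcceptEAPTypes</key><array><integer>13</integer></array>
    <!-- Entire chain the RADIUS server certificate chains to: root AND issuing CA,
         each delivered as its own certificate payload in the same profile -->
    <key>PayloadCertificateAnchorUUID</key>
    <array>
      <string>ROOT-CA-CERT-PAYLOAD-UUID-PLACEHOLDER</string>
      <string>ISSUING-CA-CERT-PAYLOAD-UUID-PLACEHOLDER</string>
    </array>
    <!-- Common name(s) the RADIUS (NPS) server certificate must present -->
    <key>TLSTrustedServerNames</key>
    <array><string>nps.example.internal</string></array>
    <!-- Do not let the client click through an untrusted server certificate -->
    <key>TLSAllowTrustExceptions</key><false/>
  </dict>
</dict>
</plist>
```

If either the anchor list is missing a CA in the chain or the server name does not match the RADIUS certificate, the client cannot validate the server and the join fails or prompts, which is consistent with the symptoms described above.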